Analysis Overview
SHA256
cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a
Threat Level: Known bad
The file cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a was found to be: Known bad.
Malicious Activity Summary
Eternity
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-08 22:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-08 22:16
Reported
2022-09-08 22:21
Platform
win7-20220812-en
Max time kernel
75s
Max time network
72s
Command Line
Signatures
Eternity
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 864 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe
"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 178.20.44.214:80 | 178.20.44.214 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-08 22:16
Reported
2022-09-08 22:22
Platform
win10-20220812-en
Max time kernel
150s
Max time network
176s
Command Line
Signatures
Eternity
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3828 set thread context of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe
"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 13.89.179.10:443 | | tcp |
| RU | 178.20.44.214:80 | 178.20.44.214 | tcp |
Files